mxgrub: Configure Linux to trust CPU manufacturer for CRNG purposes #113

Commits on Jan 9, 2020

  1. mxgrub: Add random.trust_cpu=on to Linux command line

    On fast booting systems, *amaru* with an NVMe SSD, several messages like
    below can be seen.
    
        $ dmesg | grep random
        [    0.293967] random: get_random_bytes called from start_kernel+0x310/0x4d3 with crng_init=0
        [    5.203127] random: fast init done
        [    5.789242] random: systemd-random-: uninitialized urandom read (512 bytes read)
        [    6.648002] random: dbus-daemon: uninitialized urandom read (12 bytes read)
        [    6.649848] random: mxnetctl: uninitialized urandom read (4 bytes read)
        [    7.978264] random: crng init done
        [    7.978265] random: 7 urandom warning(s) missed due to ratelimiting
    
    The Linux kernel is built without `RANDOM_TRUST_CPU`.
    
    > config RANDOM_TRUST_CPU
    >         bool "Trust the CPU manufacturer to initialize Linux's CRNG"
    >         depends on X86 || S390 || PPC
    >         default n
    >         help
    >         Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or
    >         RDRAND, IBM for the S390 and Power PC architectures) is trustworthy
    >         for the purposes of initializing Linux's CRNG.  Since this is not
    >         something that can be independently audited, this amounts to trusting
    >         that CPU manufacturer (perhaps with the insistence or mandate
    >         of a Nation State's intelligence or law enforcement agencies)
    >         has not installed a hidden back door to compromise the CPU's
    >         random number generation facilities. This can also be configured
    >         at boot with "random.trust_cpu=on/off".
    
    This is a good default, and as we do not want to rebuild the installed Linux
    kernels, choose the option to configure this at boot time by adding
    
        random.trust_cpu=on
    
    to the Linux command line. Should there be indications that the CPU
    manufacturers cannot be trusted, we have to think about different means,
    for example by plugging a [ChaosKey][1] into every system. ;-)
    
    [1]: https://altusmetrum.org/ChaosKey/
    
    Fixes: mariux64/bee-files#1556
    pmenzel committed Jan 9, 2020
    5cd3da7
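
An added example, not part of the commit or the mxgrub project: shell functions that summarize the `random:` kernel log lines quoted in the commit message (when `crng init done` appeared, how many reads and bytes were served before it) and report the `random.trust_cpu` value from a command line string. The function names are hypothetical, the sample log is constructed from the quoted lines, the command line is constructed, and treating the last occurrence of the parameter as the effective one is an assumption.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# Summarize "random:" kernel log lines read from stdin.
crng_report() {
    awk '
    { ts = $0; sub(/^\[ */, "", ts); sub(/\].*/, "", ts) }   # timestamp inside [ ]
    /random: .*uninitialized urandom read/ {
        reads++                                   # read served before CRNG was seeded
        if (match($0, /\([0-9]+ bytes read\)/))
            bytes += substr($0, RSTART + 1) + 0   # leading number of "N bytes read)"
    }
    /random: [0-9]+ urandom warning\(s\) missed/ {
        match($0, /random: [0-9]+/)
        missed += substr($0, RSTART + 8) + 0      # warnings dropped by ratelimiting
    }
    /random: crng init done/ { if (init == "") init = ts }
    END {
        printf "init_done=%s early_reads=%d missed=%d early_bytes=%d\n",
            (init == "" ? "never" : init), reads, missed, bytes
    }'
}

# Print the value of random.trust_cpu in a command line string, or "unset"
# (unset means the kernel build default, RANDOM_TRUST_CPU, applies).
# Assumption: when the parameter is repeated, the last occurrence is reported.
trust_cpu_state() {
    state=unset
    set -f                                        # no globbing while splitting
    for arg in $1; do
        case $arg in
            random.trust_cpu=*) state=${arg#random.trust_cpu=} ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# Constructed sample, taken from the lines quoted in the commit message.
sample_dmesg() {
    cat <<'EOF'
[    0.293967] random: get_random_bytes called from start_kernel+0x310/0x4d3 with crng_init=0
[    5.203127] random: fast init done
[    5.789242] random: systemd-random-: uninitialized urandom read (512 bytes read)
[    6.648002] random: dbus-daemon: uninitialized urandom read (12 bytes read)
[    6.649848] random: mxnetctl: uninitialized urandom read (4 bytes read)
[    7.978264] random: crng init done
[    7.978265] random: 7 urandom warning(s) missed due to ratelimiting
EOF
}

sample_dmesg | crng_report
trust_cpu_state "root=LABEL=root ro random.trust_cpu=on"   # constructed command line
```

On a live system, pipe `dmesg` into `crng_report` and pass `"$(cat /proc/cmdline)"` to `trust_cpu_state`.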